💬 Security & Signing


  • Admin

    This thread contains comments for the article "Security & Signing" posted on MySensors.org.


  • Hardware Contributor

    Hi,

    I have a little problem understanding the signing system. Maybe it is a language problem.

    If I want to use HW signing, is it necessary to use an ATSHA chip on both systems (gateway and nodes)? Or is it possible to use ATSHA on the node side (with REQUEST SIGNING) and set "MY_SIGNING_SOFT" on the gateway?

    In the latter case it does not work... maybe something is wrong in my sketch.

    My Test-Sketch (Node)

    /**
     * The MySensors Arduino library handles the wireless radio link and protocol
     * between your home built sensors/actuators and HA controller of choice.
     * The sensors forms a self healing radio network with optional repeaters. Each
     * repeater and gateway builds a routing tables in EEPROM which keeps track of the
     * network topology allowing messages to be routed to nodes.
     *
     * Created by Henrik Ekblad <henrik.ekblad@mysensors.org>
     * Copyright (C) 2013-2015 Sensnology AB
     * Full contributor list: https://github.com/mysensors/Arduino/graphs/contributors
     *
     * Documentation: http://www.mysensors.org
     * Support Forum: http://forum.mysensors.org
     *
     * This program is free software; you can redistribute it and/or
     * modify it under the terms of the GNU General Public License
     * version 2 as published by the Free Software Foundation.
     *
     *******************************
     *
     * DESCRIPTION
     *
     * Example sketch showing how to send in DS1820B OneWire temperature readings back to the controller
     * http://www.mysensors.org/build/temp
     */
    
    
    // Enable debug prints to serial monitor
    #define MY_DEBUG 
    #define MY_DEBUG_VERBOSE_SIGNING
    
    // Enable and select radio type attached
    #define MY_RADIO_NRF24
    #define MY_RF24_PA_LEVEL RF24_PA_MAX
    #define MY_BAUD_RATE 115200
    #define MY_NODE_ID 50
    #define MY_RF24_CHANNEL 105
    //#define MY_SIGNING_SOFT
    #define MY_SIGNING_ATSHA204
    #define MY_SIGNING_ATSHA204_PIN 17
    #define MY_SIGNING_REQUEST_SIGNATURES
    
    
    #include <SPI.h>
    #include <MySensors.h>  
    #include <DallasTemperature.h>
    #include <OneWire.h>
    
    #define COMPARE_TEMP 1 // Send temperature only if changed? 1 = Yes 0 = No
    
    #define ONE_WIRE_BUS 4 // Pin where dallase sensor is connected 
    #define MAX_ATTACHED_DS18B20 16
    unsigned long SLEEP_TIME = 30000; // Sleep time between reads (in milliseconds)
    OneWire oneWire(ONE_WIRE_BUS); // Setup a oneWire instance to communicate with any OneWire devices (not just Maxim/Dallas temperature ICs)
    DallasTemperature sensors(&oneWire); // Pass the oneWire reference to Dallas Temperature. 
    float lastTemperature[MAX_ATTACHED_DS18B20];
    int numSensors=0;
    bool receivedConfig = false;
    bool metric = true;
    // Initialize temperature message
    MyMessage msg(0,V_TEMP);
    
    void before()
    {
      // Startup up the OneWire library
      sensors.begin();
    }
    
    void setup()  
    { 
      // requestTemperatures() will not block current thread
      sensors.setWaitForConversion(false);
    }
    
    void presentation() {
      // Send the sketch version information to the gateway and Controller
      sendSketchInfo("Gartenhaus", "1.0");
    
      // Fetch the number of attached temperature sensors  
      numSensors = sensors.getDeviceCount();
    
      // Present all sensors to controller
      for (int i=0; i<numSensors && i<MAX_ATTACHED_DS18B20; i++) {   
         present(i, S_TEMP);
      }
    }
    
    void loop()     
    {     
      // Fetch temperatures from Dallas sensors
      sensors.requestTemperatures();
    
      // query conversion time and sleep until conversion completed
      int16_t conversionTime = sensors.millisToWaitForConversion(sensors.getResolution());
      // sleep() call can be replaced by wait() call if node need to process incoming messages (or if node is repeater)
      //sleep(conversionTime);
    
      // Read temperatures and send them to controller 
      for (int i=0; i<numSensors && i<MAX_ATTACHED_DS18B20; i++) {
    
        // Fetch and round temperature to one decimal
        float temperature = static_cast<float>(static_cast<int>((getConfig().isMetric?sensors.getTempCByIndex(i):sensors.getTempFByIndex(i)) * 10.)) / 10.;
    
        // Only send data if temperature has changed and no error
        #if COMPARE_TEMP == 1
        if (lastTemperature[i] != temperature && temperature != -127.00 && temperature != 85.00) {
        #else
        if (temperature != -127.00 && temperature != 85.00) {
        #endif
    
          // Send in the new temperature
          send(msg.setSensor(i).set(temperature,1));
          // Save new temperatures for next compare
          lastTemperature[i]=temperature;
        }
      }
      //sleep(SLEEP_TIME);
    }
    

    My Test-Sketch Gateway:

     /**
     * The MySensors Arduino library handles the wireless radio link and protocol
     * between your home built sensors/actuators and HA controller of choice.
     * The sensors forms a self healing radio network with optional repeaters. Each
     * repeater and gateway builds a routing tables in EEPROM which keeps track of the
     * network topology allowing messages to be routed to nodes.
     *
     * Created by Henrik Ekblad <henrik.ekblad@mysensors.org>
     * Copyright (C) 2013-2015 Sensnology AB
     * Full contributor list: https://github.com/mysensors/Arduino/graphs/contributors
     *
     * Documentation: http://www.mysensors.org
     * Support Forum: http://forum.mysensors.org
     *
     * This program is free software; you can redistribute it and/or
     * modify it under the terms of the GNU General Public License
     * version 2 as published by the Free Software Foundation.
     *
     *******************************
     *
     * DESCRIPTION
     * The ArduinoGateway prints data received from sensors on the serial link.
     * The gateway accepts input on seral which will be sent out on radio network.
     *
     * The GW code is designed for Arduino Nano 328p / 16MHz
     *
     * Wire connections (OPTIONAL):
     * - Inclusion button should be connected between digital pin 3 and GND
     * - RX/TX/ERR leds need to be connected between +5V (anode) and digital pin 6/5/4 with resistor 270-330R in a series
     *
     * LEDs (OPTIONAL):
     * - To use the feature, uncomment any of the MY_DEFAULT_xx_LED_PINs
     * - RX (green) - blink fast on radio message recieved. In inclusion mode will blink fast only on presentation recieved
     * - TX (yellow) - blink fast on radio message transmitted. In inclusion mode will blink slowly
     * - ERR (red) - fast blink on error during transmission error or recieve crc error
     *
     */
    
    // Enable debug prints to serial monitor
    #define MY_DEBUG
    
    
    // Enable and select radio type attached
    #define MY_RADIO_NRF24
    
    // Set LOW transmit power level as default, if you have an amplified NRF-module and
    // power your radio separately with a good regulator you can turn up PA level.
    #define MY_RF24_PA_LEVEL RF24_PA_MAX
    
    // Enable serial gateway
    #define MY_GATEWAY_SERIAL
    
    // Define a lower baud rate for Arduino's running on 8 MHz (Arduino Pro Mini 3.3V & SenseBender)
    #define MY_BAUD_RATE 115200
    #define MY_NODE_ID 200
    #define MY_RF24_CHANNEL 105
    #define MY_SIGNING_SOFT
    
    // Enable inclusion mode
    #define MY_INCLUSION_MODE_FEATURE
    #define MY_INCLUSION_MODE_DURATION 60
    
    #include <MySensors.h>
    
    void setup() {
      // Setup locally attached sensors
    }
    
    void presentation() {
     // Present locally attached sensors
    }
    
    void loop() {
      // Send locally attached sensor data here
    }
    

    Log File from my Node:

    Starting sensor (RNNNAA, 2.0.0)
    TSM:INIT
    TSM:RADIO:OK
    TSP:ASSIGNID:OK (ID=50)
    TSM:FPAR
    TSP:MSG:SEND 50-50-255-255 s=255,c=3,t=7,pt=0,l=0,sg=0,ft=0,st=bc:
    TSP:MSG:READ 0-0-50 s=255,c=3,t=8,pt=1,l=1,sg=1:0
    Skipping security for command 3 type 8
    TSP:MSG:FPAR RES (ID=0, dist=0)
    TSP:MSG:PAR OK (ID=0, dist=1)
    TSM:FPAR:OK
    TSM:ID
    TSM:CHKID:OK (ID=50)
    TSM:UPL
    TSP:PING:SEND (dest=0)
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=24,pt=1,l=1,sg=0,ft=0,st=ok:1
    TSP:MSG:READ 0-0-50 s=255,c=3,t=25,pt=1,l=1,sg=1:1
    Skipping security for command 3 type 25
    TSP:MSG:PONG RECV (hops=1)
    TSP:CHKUPL:OK
    TSM:UPL:OK
    TSM:READY
    Signing required
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=15,pt=6,l=2,sg=0,ft=0,st=ok:0101
    Waiting for GW to send signing preferences...
    TSP:MSG:READ 0-0-50 s=255,c=3,t=15,pt=6,l=2,sg=0:0100
    Skipping security for command 3 type 15
    Mark node 0 as one that do not require signed messages
    Mark node 0 as one that do not require whitelisting
    TSP:MSG:SEND 50-50-0-0 s=255,c=0,t=17,pt=0,l=5,sg=0,ft=0,st=ok:2.0.0
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=6,pt=1,l=1,sg=0,ft=0,st=ok:0
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=11,pt=0,l=10,sg=0,ft=0,st=ok:Gartenhaus
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=12,pt=0,l=3,sg=0,ft=0,st=ok:1.0
    TSP:MSG:SEND 50-50-0-0 s=0,c=0,t=6,pt=0,l=0,sg=0,ft=0,st=ok:
    Request registration...
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=26,pt=1,l=1,sg=0,ft=0,st=ok:2
    TSP:MSG:READ 0-0-50 s=255,c=3,t=16,pt=0,l=0,sg=1:
    Skipping security for command 3 type 16
    Signing backend: ATSHA204
    SHA256: C218FD3906EE8FB300A7E3537C21E2F28655A522DEC5AAAD30810E7AADB3285F
    TSP:MSG:SEND 50-50-0-0 s=255,c=3,t=17,pt=6,l=25,sg=0,ft=0,st=ok:C218FD3906EE8FB300A7E3537C21E2F28655A522DEC5AAAD30
    Transmitted nonce
    TSP:MSG:READ 0-0-50 s=255,c=3,t=27,pt=1,l=1,sg=1:1
    Signature in message: 01BA5BD0193F0E5B474833E395DFA6C08715EA4E462A9EA2
    Message to process: 00320E231BFF01
    Current nonce: C218FD3906EE8FB300A7E3537C21E2F28655A522DEC5AAAD30AAAAAAAAAAAAAA
    HMAC: 737DE7BFBB721A51D231D02D2606DA19CB0F4E7EE04634DC21D19C3F90F791FD
    Signature bad: 017DE7BFBB721A51D231D02D2606DA19CB0F4E7EE04634DC
    Signature verification failed!
    !TSP:MSG:SIGN verify fail
    Init complete, id=50, parent=0, distance=1, registration=1
    

  • Hardware Contributor

    Hi,

    Did you check the SOFT_HMAC_KEY in your gateway with the sketch SecurityPersonalizer.ino?
    It must be the same as the HMAC on the node.


  • Hardware Contributor

    @tonnerre33 Thanks, I solved it already, but you are right, that was my problem 🙂



  • I have ordered 10 ATSHA chips for my system and have a question about using them with the Pi: do I need to add the ATSHA chip to the Raspberry Pi gateway (with nrf24l01+ directly attached)? If so, how do I wire it up? If not, how does it work?

    Thanks! 😉



  • Hi everybody 🙂
    Where can I find step-by-step information on how to run signing/security with one sensor and a Raspberry Pi gateway using MQTT (software signing without an ATSHA chip)? I am trying to understand this post, but I have a problem. I tested the example code, but my gw always gets normal information.


  • Contest Winner



  • @Anticimex I read all the text and I understand that I have to add four lines to all my sensors:
    #define MY_SIGNING_SOFT
    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    #define MY_SIGNING_REQUEST_SIGNATURES
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = MOTION_SENSOR_ID,.serial = {0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78}}}

    In my gateway I must use this command:
    ./configure --my-gateway=mqtt --my-controller-ip-address=127.0.0.1 --my-mqtt-publish-topic-prefix=mysensors-out --my-mqtt-subscribe-topic-prefix=mysensors-in --my-mqtt-client-id=mygateway1 --my-signing=software --my-signing-debug --my-signing-request-gw-signatures-from-all --my-mqtt-password=PASSWORD --my-mqtt-user=USER

    1. But I do not understand where I create the whitelist in the gateway?
    2. How do I create a serial for my sensors (e.g. {0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78})?
    3. How do I check if everything is working?
    4. How do I use HMAC (how to create it in my sensor, where to save it)?

  • Contest Winner

    @macvictor the raspberry specific things you need to check with @marceloaqno about, the other questions really are all answered in the link I sent.



  • @Anticimex OK. I read this text again. I have some more questions.

    1. I generated SOFT_HMAC_KEY, SOFT_SERIAL, AES_KEY in my gateway, so when I run SecurityPersonalizer.ino must I save these values from the gw in MY_SOFT_HMAC_KEY, MY_SOFT_SERIAL, MY_AES_KEY, or generate other values and save those? Probably AES must be the same. MY_SOFT_SERIAL is 'serial' in WHITELISTING, so I think this must be different in node and gateway, and what about HMAC? I think that the HMAC must be the same.
    2. I looked for information on where to save the whitelist in the gw but I didn't find it. Can you help me find a solution?
    3. Say I use, for example, 2 relay nodes, 2 temperature nodes and a gateway. All relays communicate only with the gateway, but all are repeaters. All temperature nodes connect through a relay, so in the relay nodes' whitelist I must add the temperature serials and the gw serial. In the temperature nodes I don't add a whitelist; in the gateway I add the relay and temperature node serials. Is that all?

    PS. Thank you for your help 🙂


  • Contest Winner

    @macvictor

    1. Quotes from the documentation (link I sent):
      "In case you want to be able to "whitelist" trusted nodes (in order to be able to revoke them in case they are lost) you also need to take note of the serial number of the ATSHA device or the software value stored in EEPROM. This is unique for each device."
      "That mean that all nodes in your network share the same PSK" (this goes for both HMAC and AES (if you use encryption)).
    2. There is no difference. You specify your whitelists the same way in both gateway and nodes. Of course you have to have different whitelists but the format and way of storage is identical.
    3. All signing is end to end. Your nodes communicate with your gateway. It does not matter if they are relayed 50 times on the way to the gateway. Therefore, whitelists in gateway and node use the serial from the other part (gateway or node).
      Your relays are also nodes. If you send data explicitly to these nodes, you also need the serial for those (if you want signed communication with them) but your temp sensors and your gateway talk to each other. Signing does not care about relays.
      So you do NOT need to add gw and temperature serials to your node-relays just to have your gw and temperature sensors communicate with each other. You do not even have to enable signing in your relays. They are (possibly) just that; relays.
      Of course, this means that you have to have your gw serial in your temperature node whitelist, and vice versa (if you use two way signing).


  • Hi Guys,
    Long time reader and first time poster.
    Now a general disclaimer, I'm only fairly new to the IoT world of home automation sensors and am looking at the crypto side of signing devices as I thought if I'm going to do it, I'm going to do it right from the start with signing and utilizing OTA abilities.

    I have a quick question regarding the ATSHA204 component. I know that the SenseBender uses a ATSHA204-STUCZ (the Single-Wire interface config) but I can't get these sourced through my normal supplier.

    I am able to source ATSHA204A-SSHDA-B though, and was wondering if this would work instead, even though it's an I2C interface config instead. If not, how much work is involved to get it to work?

    Thanks Heaps


  • Contest Winner

    @egadgetjnr hi and welcome to the forum! It will require some work as the current driver only handles single wire interface and the I2C support in the chip has special requirements in the bus for sleep/wake states. I don't know how much work exactly is needed but it will not be insignificant.
    Also, what sources have you checked? It should be possible to source the single wire variant online without problem.



  • @Anticimex said in 💬 Security & Signing:

    Also, what sources have you checked? It should be possible to source the single wire variant online without problem.

    Thanks heaps for your prompt reply!

    I've looked at Mouser and Digi-Key and they have a $60 minimum for free postage (I don't want to order 100 for free shipping at this stage obviously as I'm only prototyping) and I can't bring myself to spending $25 on shipping for around $5.00 of modules 😦.
    Which leaves me with my normal supplier of Element14 (formerly Farnell) where I get free shipping regardless of order quantity 😉 but they don't source the Single-Wire ones at all.

    I was going to put a post over on the OTA Flash forum as well as I'm having issues sourcing the AT25DF512C (it's been discontinued) and was looking at an ATAES132A (Datasheet <here> using an SPI interface) as I accidentally ordered some of them for another project and thought maybe it would be possible to combine both the security signing and OTA flash in the one component (Which is a HUGE assumption as to its use). As mentioned earlier, I'm still fairly new to the engineering side of hardware so I may be way off the mark.


  • Hardware Contributor

    @egadgetjnr where did you come from?


  • Contest Winner

    @egadgetjnr Ok, well, if you are up to it, feel free to make a PR with I2C support. I do not have the bandwidth to implement that myself I am afraid, and I don't feel the gains are worth the efforts. I2C will put constraints on which pins to use, and of course it would also require two pins and not one.
    But I happily review any pull requests on the topic. If we get the support, it is just a bonus 🙂

    Regarding flash, it is not crucial that you get the exact same part (or even the same supplier). The important thing is that the interface is the same and that they share the same JEDEC identifier.



  • I had exactly the same issue. This UK eBay store sells them per 5. Not sure what they'll ask for sending them across the ocean.
    I got them from here (4 days from UK to NL). Got one up in my gateway and that works with a soft signing node. Should be good.



  • Just to be sure: SOFT_HMAC_KEY, SOFT_SERIAL is used for signing, AES_KEY is used for encryption. SOFT_HMAC_KEY, AES_KEY should be the same across all network nodes, SOFT_SERIAL should be different for every node?


  • Contest Winner

    @bilbolodz this is quite clearly stated in the documentation, but in short yes. But AES and HMAC key should not be the same, as the encryption is not using initialization vectors so the key can be derived from analyzing the encrypted messages by someone with the adequate knowledge.



  • I'm trying to start playing with ATSHA204A signing. I have an ATSHA204A-SSHCZ-T chip (8-lead SOIC single wire). I've connected chip pins: 4 - GND, 8 - VCC (5v), 5 - A3, I've added 100nF between 4 and 8 and a 4K7 resistor between 5 and 8. I've loaded a "near clear" SecurityPersonalizer sketch (only added #define MY_SIGNING_ATSHA204_PIN A3 #define MY_SIGNING_ATSHA204) but I've got:

    Personalization sketch for MySensors usage.

    Failed to wake device. Response: E7
    Halting!

    any ideas?


  • Contest Winner

    @bilbolodz hm, no. I have not tested on an 8-lead device. There should not be a difference but I can neither deny nor confirm. My best suggestion would be to have a look with an oscilloscope on the wire to confirm that the signal quality is good.



  • Is SIGNING a RFM69_ENABLE_ENCRYPTION replacement? If so is it a better or worse solution? Maybe RFM69_ENABLE_ENCRYPTION is enough?


  • Mod

    @melwinek encryption and signing have very different purposes.

    Signing prevents other people from sending messages to control your nodes. Without signing, anyone with the right skill or software can take control of your nodes.

    Encryption tries to hide the contents of the messages between your nodes. That does not prevent people from taking control of your nodes.


  • Contest Winner

    @melwinek signing and encryption are two completely different things. And they can be enabled at the same time if so desired. Signing provides authentication and encryption provides obscurity.



  • @Anticimex, @mfalkvidd But with encryption no one will take control so easily; they must break the code.
    So it is best to simultaneously encrypt (e.g. RFID tag serial number when opening the gate) and sign (e.g. gate open message)?


  • Contest Winner

    @melwinek what prevents anyone from copying your encrypted message and recording it, and then later sending the same thing?
    Encryption provides obscurity. You need signing for authentication. Signed messages cannot be repeated because they are always unique. Encryption does not necessarily guarantee that.
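
The replay argument in the post above, as an added example that is not part of the original thread and is not MySensors code: a simplified Python model of the nonce/HMAC exchange visible in the debug logs on this page. The 25-byte nonce padded with 0xAA to 32 bytes and the 0x01-prefixed 24-byte signature follow those logs; the order of the bytes fed to the HMAC, the `Receiver` class, the keys and the scenario names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 25   # nonce bytes sent over the air (l=25 in the logs)
PAD_BYTE = 0xAA  # padding seen in "Current nonce: ...AAAAAAAAAAAAAA"
SIG_LEN = 24     # signature bytes carried in the message
SIG_ID = 0x01    # first signature byte in the logs ("Signature in message: 01...")


def pad_nonce(nonce: bytes) -> bytes:
    """Pad the transmitted 25-byte nonce to 32 bytes with 0xAA."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 25 bytes")
    return nonce + bytes([PAD_BYTE]) * (32 - NONCE_LEN)


def sign(hmac_key: bytes, message: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 over message and nonce, byte 0 replaced by the identifier."""
    # Assumption: message bytes followed by the padded nonce. The real
    # library's input layout may differ; the replay property does not.
    digest = hmac.new(hmac_key, message + pad_nonce(nonce), hashlib.sha256).digest()
    return bytes([SIG_ID]) + digest[1:SIG_LEN]


class Receiver:
    """Hypothetical model of the side that requires signatures."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._nonce = None  # outstanding nonce, valid for one message only

    def new_nonce(self) -> bytes:
        # The logs print a SHA256 value and transmit its first 25 bytes.
        self._nonce = hashlib.sha256(os.urandom(32)).digest()[:NONCE_LEN]
        return self._nonce

    def verify(self, message: bytes, signature: bytes) -> bool:
        if self._nonce is None:
            return False  # nothing was requested, so nothing can be valid
        nonce, self._nonce = self._nonce, None  # consume: single use
        expected = sign(self._key, message, nonce)
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    shared_key = bytes(range(32))      # constructed key, personalized on both sides
    other_key = bytes([0xFF]) * 32     # constructed key, a mis-personalized device
    message = bytes.fromhex("00320E231BFF01")  # "Message to process" from the first log

    rx = Receiver(shared_key)
    results = {}

    # 1. Both sides hold the same HMAC key: the signature verifies.
    nonce = rx.new_nonce()
    captured = sign(shared_key, message, nonce)
    results["matching_key"] = rx.verify(message, captured)

    # 2. A recorded message is sent again after a new nonce was issued.
    rx.new_nonce()
    results["replay"] = rx.verify(message, captured)

    # 3. A recorded message is sent with no nonce outstanding at all.
    results["replay_no_nonce"] = rx.verify(message, captured)

    # 4. The HMAC keys differ (the cause of "Signature verification failed!"
    #    in the first post of this thread).
    nonce = rx.new_nonce()
    results["mismatched_key"] = rx.verify(message, sign(other_key, message, nonce))

    # 5. The payload is altered after signing.
    nonce = rx.new_nonce()
    good = sign(shared_key, message, nonce)
    results["tampered"] = rx.verify(message[:-1] + b"\x00", good)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

Only the first case is accepted. Encryption alone would leave cases 2 and 3 open, because an identical ciphertext decrypts to the same valid plaintext every time it is received.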



  • @bilbolodz I am getting the same message with a Sensebender Micro. I configured it for soft-signing with LOCK_CONFIGURATION enabled. Now I wanted to switch to hardware based signing.

    Any way to unlock a locked configuration?


  • Contest Winner

    @t3chie there is no configuration to lock for soft signing. Configuration locking only applies to atsha204a. And if locked it cannot be unlocked. And normally you shouldn't need to either as the default settings set are the ones to use, and unless you have been very creative in hacking the personalizer that configuration should work just fine.



  • @Anticimex I tested first with soft signing but shortly after this realized that with soft signing the Sensebender does not have enough space for debug messages.
    I reran the personalizer to switch to hardware based signing and hit the "Failed to wake device. Response: E7" message.
    Played around and found that

    #define MY_SIGNING_ATSHA204_PIN 17
    instead of
    #define MY_SIGNING_ATSHA204_PIN 4

    made the personalizer happy again. I am still fighting with getting signing to work. Setting #define MY_SIGNING_REQUEST_SIGNATURES and MY_SIGNING_GW_REQUEST_SIGNATURES_FROM_ALL did not get me going.


  • Contest Winner

    @t3chie I assume you have personalized nodes and gw with the same hmac key?


  • Contest Winner

    @t3chie also that you also defined the signing enabled flag on all participants (but I think you get a preprocessor error if you don't)



  • Is it possible to use the ATSHA204A along with the Rpi directly attached NRF24L01+ gateway? I can see how to attach the ATSHA to the nodes, but how to attach it to the pi?
    Thank you.


  • Contest Winner

    @skywatch no, not to my knowledge. The atsha driver is Arduino specific. I would happily review a pull request that ports the bit banged driver for Linux though 🙂


  • Contest Winner

    @skywatch the use case for atsha204a backed signing on rPi is limited though. As it is used as a gw (I presume) it is considered "protected" and is less sensitive for key dumping.



  • Thank you for the quick response. Maybe I misunderstand this?
    I have got 10 ATSHA chips that I would like to attach to Arduino nodes to use with a Raspberry Pi based gateway/controller combo. Do I therefore need to attach the ATSHA to the rpi, or could I still use the ATSHA hardware on the Arduinos without an ATSHA attached to the rpi?
    I had assumed that the atsha chip would be needed at both ends for signing to work. Maybe that's not how it works?


  • Contest Winner

    @skywatch no, the software port is fully compatible with the atsha204a. So you can use Arduino nodes with atsha204a and they will work just fine with your rPi with software signing. Just as long as they all use the same hmac key.


  • Hardware Contributor

    I'm hoping that I have done everything OK.
    I've personalized the Arduino that acts as Gateway (connected via USB to a Raspberry PI) and I've personalized first node (a DHT22).
    Both with software signature.

    This is the cat from Raspberry / Gateway Arduino:

    0;255;3;0;9;TSF:MSG:READ,3-3-0,s=0,c=3,t=16,pt=0,l=0,sg=1:
    0;255;3;0;9;Skipping security for command 3 type 16
    0;255;3;0;9;SHA256: 37FA7FD8F19D55E99C952F467E45D9A7439AAAAAAAAAAAAAA
    0;255;3;0;9;Skipping security for command 3 type 17
    0;255;3;0;9;TSF:MSG:SEND,0-0-3-3,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:37FA7FD8F19D5CE9A07E95992C45D9A7439
    0;255;3;0;9;Transmitted nonce
    0;255;3;0;9;TSF:MSG:READ,3-3-0,s=0,c=1,t=1,pt=7,l=5,sg=1:59.3
    0;255;3;0;9;Signature in message: 010F55F31D04DBFCA0AFC7E139475
    0;255;3;0;9;Message to process: 03033336D4201
    0;255;3;0;9;Current nonce: 37FA7FD8F19D55E99C955992C45D9A7439AAAAAAAAAAAAAA
    0;255;3;0;9;HMAC: B50F55F31D04DBFFC7E139475D91093F0A1EABB174B86E9E9
    3;0;1;0;1;59.3
    0;255;3;0;9;TSF:MSG:READ,3-3-0,s=2,c=3,t=16,pt=0,l=0,sg=1:
    0;255;3;0;9;Skipping security for command 3 type 16
    0;255;3;0;9;SHA256: 803B7127EB3B049768C59D328C89862FF731AAAAAAAAAAAAAA
    0;255;3;0;9;Skipping security for command 3 type 17
    0;255;3;0;9;TSF:MSG:SEND,0-0-3-3,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:803B7127EB3D0DED839579D328C89862FF731
    0;255;3;0;9;Transmitted nonce
    0;255;3;0;9;TSF:MSG:READ,3-3-0,s=2,c=1,t=38,pt=7,l=5,sg=1:3.42
    0;255;3;0;9;Signature in message: 010E8B790708A39930F73D511F48DAECA
    0;255;3;0;9;Message to process: 03002E23BAE5A4002
    0;255;3;0;9;Current nonce: 803B7127EB3D0DED83957BB5C59D328C89862FF731AAAAAAAAAAAAAA
    0;255;3;0;9;HMAC: D10E8B79D511F48DAECAFB4A3D89F553A2DDB26F1614
    3;2;1;0;38;3.42
    

    and so on...

    This is the Pro Mini serial console:

    T: 28.00
    1023
    Battery Voltage: 3.44 V
    Battery percent: 102 %
    40413 Skipping security for command 3 type 16
    40421 TSF:MSG:SEND,3-3-0-0,s=2,c=3,t=16,pt=0,l=0,sg=1,ft=0,st=OK:
    40429 Nonce requested from 0. Waiting...
    40546 TSF:MSG:READ,0-0-3,s=255,c=3,t=17,pt=6,l=25,sg=1:9CC096EF18295BEFAC43638CA2673A1D759B0CEC6E49C3E060
    40558 Skipping security for command 3 type 17
    40562 Nonce received from 0.
    40564 Proceeding with signing...
    Message to process: 03002EF24002
    Current nonce: 9CC096EF18295BEFA59B0CEC3E060AAAAAAAAAAAAAA
    HMAC: 5D8E8A59EF1420406004E1318A650686E19E3A8
    Signature in message: 018E8A5BD166D106004E
    40740 Message signed
    40749 Message to send has been signed
    40755 TSF:MSG:SEND,3-3-0-0,s=2,c=1,t=38,pt=7,l=5,sg=1,ft=0,st=OK:3.44
    40763 Skipping security for command 3 type 16
    40769 TSF:MSG:SEND,3-3-0-0,s=255,c=3,t=16,pt=0,l=0,sg=1,ft=0,st=OK:
    40777 Nonce requested from 0. Waiting...
    40900 TSF:MSG:READ,0-0-3,s=255,c=3,t=17,pt=6,l=25,sg=1:1C17F1A31D500CB0E840B7214BE961E
    40910 Skipping security for command 3 type 17
    40916 Nonce received from 0.
    40919 Proceeding with signing...
    Message to process: 03000E66
    Current nonce: 1C17FE25D7B26441A31D961EAAAAAAAAAAAAAA
    HMAC: D5992FF4CFB6238CD4062397EEE986F47E0BD65020F39C18662
    Signature in message: 01992FF4CFB6238C0FDA62397EEE986F47E0
    41095 Message signed
    41101 Message to send has been signed
    41109 TSF:MSG:SEND,3-3-0-0,s=255,c=3,t=0,pt=1,l=1,sg=1,ft=0,st=OK:102
    41115 MCO:SLP:MS=5000,SMS=0,I1=255,M1=255,I2=255,M2=255
    41121 MCO:SLP:TPD
    

    Are they communicating securely? 🙂

    PS I did delete some chars from the HMAC, nonces, etc etc 😄


  • Contest Winner

    @sineverba the best way to determine that is to see if the messages you send arrive 🙂 if you enable signing and require signatures, unsigned or incorrectly signed messages will be rejected.
    I see no errors in the log so it seems it works. The logs however don't match up. The hmac:s in one log do not match the hmac:s in the other.


  • Hardware Contributor

    @Anticimex
    I can assure you that messages, nonces, hmacs and signatures are exactly the same in console gateway and in console of arduino mini.
    I did delete some chars before posting for.... security (?) 😄
    Thank you for your answer!


  • Contest Winner

    @sineverba why did you delete them? There is nothing secret about them. They are sent over your radio link so they are to be considered very public, or signing wouldn't be useful, would it? 😉


  • Hardware Contributor

    @Anticimex
    I understand 🙂
    The last thing: what's the sense of this message:

    Skipping security for command 3 type 17
    

    ?

    Thank you!


  • Contest Winner

    @sineverba it means that message is not signed. Because it is of a type not suitable for signing. Typically an ack or a handshake message. You can look the type up in the api specification. In this case it is a handshake message (a nonce reply to be precise).



  • Hello!! I'm also trying to implement SOFT Signature, but because of my poor English I have many problems !!
    Someone could post the socket of a node + a working MQTT gateway.

    So you can study the code and understand how it works !!!

    Thanks 1000 in advance to who can help me


  • Contest Winner

    @sindrome73 There is no difference for a MQTT gw than from other GW:s. There are code examples in the documentation. See this post and follow the Doxygen links.



  • As I said, my English is not good and therefore it is difficult for me to follow the discussions.

    That's why I was asking for a snapshot already done, in order to study the code and understand how to solve ....
    If anyone can help me ????


  • Contest Winner

    @sindrome73 I am afraid it will be difficult to help if you can't read the code. There is code in the documentation, and you ask for code? There is also a sequence of steps required to do personalization, so you have to be able to understand English to some extent, or find someone who can translate for you.

    If it helps, I have pasted the code here in case you for some reason can't find it (I assume you use an official 2.0 release):

    How to use this

    Before we begin with the details, I just want to emphasize that signing is completely optional and not enabled by default. If you do want the additional security layer signing provides, you pick the backend of your choice in your sketch. Currently, two compatible backends are supported; MY_SIGNING_ATSHA204 (hardware backed) and MY_SIGNING_SOFT (software backed). You can either enable these globally in MyConfig.h or in your sketch for sketch specific/local use.

    Firstly, you need to make sure to pick a backend to use as described above.

    //#define MY_SIGNING_SOFT
    #define MY_SIGNING_ATSHA204
    #include <MySensors.h>
    ...
    

    Make sure to set the define before the inclusion of MySensors.h. It is legal to mix hardware- and software-based backends in a network. They work together.

    You also need to decide if the node (or gateway) in question requires and verifies signatures in addition to calculating them. This has to be set by at least one of the nodes in a "pair" or nobody will actually start calculating a signature for a message. Just set the flag MY_SIGNING_REQUEST_SIGNATURES and the node will inform the gateway that it expects the gateway to sign all messages sent to the node. If this is set in a gateway, it will NOT force all nodes to sign messages to it. It will only require signatures from nodes that in turn require signatures. If it is desired that the gateway should require signatures from all nodes, MY_SIGNING_GW_REQUEST_SIGNATURES_FROM_ALL can be set in the gateway sketch.
    If you want to have two nodes communicate securely directly with each other, the nodes that require signatures must send a presentation message to all nodes they expect signed messages from (only the gateway is informed automatically). See signerPresentation().
    A node can have three "states" with respect to signing:

    1. Node does not support signing in any way (neither MY_SIGNING_ATSHA204 nor MY_SIGNING_SOFT is set)
    2. Node does support signing but doesn't require messages sent to it to be signed (MY_SIGNING_REQUEST_SIGNATURES is not set)
    3. Node does support signing and requires messages sent to it to be signed (MY_SIGNING_REQUEST_SIGNATURES is set)

    Secondly, you need to verify the configuration for the backend.
    For hardware backed signing it is the pin the device is connected to. In MyConfig.h there are defaults which you might need to adjust to match your personal build. The setting is defined using MY_SIGNING_ATSHA204_PIN and the default is to use pin A3.
    Similar to picking your backend, this can also be set in your sketch:

    #define MY_SIGNING_ATSHA204
    #define MY_SIGNING_ATSHA204_PIN 4
    #define MY_SIGNING_REQUEST_SIGNATURES
    #include <MySensors.h>
    ...
    

    For the software backed signing backend, an unconnected analog pin is required to set a random seed for the pseudo-random generator. It is important that the pin is floating, or the output of the pseudo-random generator will be predictable, and thus compromise the signatures. The setting is defined using MY_SIGNING_SOFT_RANDOMSEED_PIN and the default is to use pin A7. The same configuration possibilities exist as with the other configuration options.

    Thirdly, if you use the software backend, you need to personalize the node (see personalization).

    #define MY_SIGNING_SOFT
    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    #define MY_SIGNING_REQUEST_SIGNATURES
    #include <MySensors.h>
    ...
    

    An example of a node that requires signatures is available in SecureActuator.ino.


  • Hardware Contributor

    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    

    I imagine not, but... does the pin need to be the same in every node?

    And... will the library auto manage the PIN (in this case the #7), rendering it floating, or do I need to explicitly set it as INPUT in the sketch?

    Thank you!


  • Contest Winner

    @sineverba It is assumed that you do any configurations in your sketch, before including MySensors.h, so no, it does not need to be the same on every node. It just needs to be left unconnected. And yes, the library takes care of the rest.


  • Mod

    The pin does not need to be the same.

    The library will set it to the required mode, there is no need to do anything in the sketch.



  • Hi
    I have a MySensors gateway on my RPI3 with radio RFM69HW. Is there any chance to build a gateway on RPI3 but also with the ATSHA204A chip? And how to build it...


  • Contest Winner

    @pepson the driver has not been designed with rPi in mind. And you'd probably be better off with an I2C variant for rPi. But we currently don't offer a driver for that so you'd have to write it yourself.
    But, for a gw, you typically keep those secured physically, so using an atsha device is less important, compared to "roaming" nodes.



  • @anticimex
    I don't understand. I want to secure my nodes... by ATSHA204A. How can I secure them with another solution?


  • Contest Winner

    @pepson I have implemented a sw emulator for the atsha which offers compatible security infrastructure but without readout protection. Readout protection is needed if someone steals your node and extracts your hmac key. Your gw won't typically be stolen, so it doesn't need readout protection and can rely on the soft signing option, which is compatible with nodes using atsha204a personalized with the same hmac key. The rPi port supports the atsha204a emulator so you can use that to secure nodes that have a real atsha204a device.



  • @anticimex

    Can you show me a full manual on how to implement it on a gateway on RPI and how to add this to the sketch on nodes? Please...
    If you can, describe it to me very well. I am a beginner...


  • Contest Winner

    @pepson you have the links to the documentation in the article this thread is commenting on. At the very top.



  • @anticimex
    But please show me as you have to have example...


  • Contest Winner

    @pepson I don't run on raspberry pi so I don't. But the documentation does have specific configuration examples for raspberry pi, so you have all information needed listed there in "how to use this" section.


  • Hardware Contributor



  • @sineverba
    Very very good manuals...
    But I don't understand what number I must type in this place and how to get it? Is it the network MAC number from the RPI?

    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0Xaa,0Xbb,0Xcc,0XF9,0X82,0XB2,0X50,0XF2,0XAB}}} // got from gateway setup

    And what is different with MySensors 2.3.0?
    Must I do all the points from MySensors 2.2.0 and the additional point for 2.3.0?

    After got your ./configure instruction, type
    sudo nano /etc/mysensors.conf
    And add your KEYs to the specific section on bottom of the file.
    To get your first KEYs follow guide for 2.2.0

    And in version 2.3.0 i must do this under building gateway ?

    And add serial,HMAC,AES in this place in mysensors.conf

    Software signing settings
    Note: The gateway must have been built with signing
    support to use the options below.
    To generate a HMAC key run mysgw with: --gen-soft-hmac-key
    copy the new key in the line below and uncomment it.
    #soft_hmac_key=

    To generate a serial key run mysgw with: --gen-soft-serial-key
    copy the new key in the line below and uncomment it.
    #soft_serial_key=

    Encryption settings
    Note: The gateway must have been built with encryption
    support to use the options below.
    To generate a AES key run mysgw with: --gen-aes-key
    copy the new key in the line below and uncomment it.
    #aes_key=

    and then build gateway ?


  • Hardware Contributor

    @pepson You use RFM69(H/W/HW). So do I. My hint is to remain with 2.2.0. I got so many issues with 2.3.0 and RFM that I reverted to 2.2.0 in 1 minute.

    HMAC is not LAN MAC, it is the HMAC got from the MySensors gateway. Same for the other 2 keys.

    I think that in the long explanation in my guide you have all the info to get your keys. I follow my same guide every time I need to reinstall mysensors / domoticz / an entire PI. It is fully tested 🙂



  • @sineverba
    Hi
    Yes, I use radio RFM69HW. I also have a big problem on 2.3.0... and went back to 2.2.0. What problem do you have on 2.3.0 with radio RFM69?

    I read all your guide and it is ok. But I don't know what I must put in this place:
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0Xaa,0Xbb,0Xcc,0XF9,0X82,0XB2,0X50,0XF2,0XAB}}} // got from gateway setup

    Put serial from this:
    sudo mysgw --gen-soft-serial-key

    We will get:

    SOFT_SERIAL | 7850987FA6601F6538

    The next line is intended to be used in SecurityPersonalizer.ino:
    #define MY_SOFT_SERIAL 0X78,0X50,0X98,0X7F,0XA6,0X60,0X1F,0X65,0X38

    To use this key, run mysgw with:
    --set-soft-serial-key=7850987FA6601F6538

    And i must put my keys to mysensors.conf when i use version 2.2.0 ? Or only when use 2.3.0 ?

    Software signing settings
    Note: The gateway must have been built with signing
    support to use the options below.
    To generate a HMAC key run mysgw with: --gen-soft-hmac-key
    copy the new key in the line below and uncomment it.
    #soft_hmac_key=

    To generate a serial key run mysgw with: --gen-soft-serial-key
    copy the new key in the line below and uncomment it.
    #soft_serial_key=

    Encryption settings
    Note: The gateway must have been built with encryption
    support to use the options below.
    To generate a AES key run mysgw with: --gen-aes-key
    copy the new key in the line below and uncomment it.
    #aes_key=

    or only send command

    sudo mysgw --set-soft-serial-key=7850987FA6601F6538 && sudo mysgw --set-aes-key=768859210B4A75FACC78B757ADAFE75B && sudo mysgw --set-soft-hmac-key=0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524 ?


  • Hardware Contributor

    @pepson

    Too many acks lost and slow communication. And others that I don't remember.

    That line in the sketches means that, on the node where you want whitelisting, you need to add the serial of the gateway.

    You got the gateway serial in the steps for 2.2.0.

    You have it.

    You don't need to put anything in any file with 2.2.0. In my guide it is NOT mentioned. In my guide, at the bottom, there is the final "set keys" with only a line OR you can set them every time you get them.

    Please, take your time to read 1, 2, 3 times before typing anything. I think it is very clear, and every step is written down for you.

    😉 Enjoy 🙂

    PS Don't be offended, I want to help you, 'cause I spent quite some time before getting security working. And I spent a lot of time writing down a guide. But you need to read and follow it carefully



  • @sineverba I also have the same problem with communication. But tell me, did you send the issue to the developer? I sent it but nothing was done.

    Ok, in point 4 in your guide, in the sketch for the node I must put the serial key from the gateway? Yes?

    And tell me how to remove the serial, HMAC and AES setup when I don't want to use it? How to remove it from the gateway?
    Thanks



  • Any help ?


  • Hardware Contributor

    @pepson no need to remove. Simply, in your sketches, don't use signing at all.



  • @sineverba said in 💬 Security & Signing:

    no need to remove. Simply, in your sketches, don't use signing at all.

    ok, but if the keys were generated and set up on the gateway and I don't use keys in the sketches, will the node connect? And what is the purpose of the signature then?
    I thought that if the gateway has a set of keys and a node without a key tries to connect, it will not connect ....


  • Hardware Contributor

    @pepson you can use a special flag define to "downgrade/reduce" security MY_WEAK_SECURITY



  • @sineverba

    Ok summary
    When i have setup on Raspberry Gateway , generate keys.

    When i write in node all keys with sketches.... Node connect ok.

    But when write to node only sketches without keys.,... node connect to gateway or not connect to gateway ?


  • Hardware Contributor

    @pepson you need to set up the gateway with weak security.

    You need to generate keys and set them in the gateway.

    You need to personalize nodes with the sketch and set keys in the Arduino EEPROM.

    From now, you have two ways: Your node needs security? Set use security bla-bla on top with the other define(s).

    Don't need security? Don't define use security.

    Simpler than ever.


  • Contest Winner

    @pepson if you find the security setup to be too complicated, I highly recommend sticking with the simple password flags. The documentation has it all.



  • @sineverba said in 💬 Security & Signing:

    setup gateway with weak security.

    But when configure my gateway without flag setup gateway with weak security i can only use nodes with setup in sketches keys. yes ?



  • @anticimex

    Can you share with me the document where it is described how to define only the password? I also want to read this.


  • Hardware Contributor

    @pepson

    Let's summarize. Last time.

    1. compile gateway with weak security (do your research, also in my github guide, it is there 😉 )
    2. create the 3 keys for gateway
    3. set the 3 keys for gateway.
    4. clean your Arduinos' EEPROM with the sketch present in my guide and in the examples of the library
    5. set the keys in the Arduinos' EEPROM.

    Stop. End. Fin. Fine. These steps are MANDATORY. You NEED to do them.

    You will have the keys in EEPROM (arduino) and in gateway.

    From now, you select:

    a) Do I need security? Perfect, in sketch arduino add #define bla bla bla on top with security and other stuff.
    b) Do I NOT need security? Perfect, in sketch arduino DON'T ADD #define bla bla related to security.


  • Hardware Contributor

    @pepson And, last of all, you can use the mysensors debug options. Try. Try. Try! This is the best option offered to you to learn. Try!
    At worst, nothing works 😉



  • @sineverba
    ok all is very good.

    But what does this give me if I can connect nodes both with the defines bla bla bla in the sketch and also without the defines bla bla bla in the sketch?
    But do I think right? In each of these cases I need to have the keys loaded in the EEPROM?


  • Hardware Contributor

    @pepson only one word. Try. Really, you are lost in 1 cm of water. Try. And if it doesn't work, open your topic, showing exactly your sketches and what have you done.



  • ok thanks



  • Ok, I built my gateway on RPI on MySensors 2.2.0 with this configuration:

    ./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-signing=software --my-signing-request-signatures

    Then I generated 3 keys and set them up on the gateway.

    Then I cleared the EEPROM on the Arduino Mini Pro, and then sent the security sketch with serial, HMAC, and AES added. Then I put my sketch with this added at the top, with my SERIAL generated on the gateway RPI.

    #define MY_SIGNING_SOFT
    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    #define MY_SIGNING_REQUEST_SIGNATURES
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

    After that I ran HA and it did not find my nodes...
    What is wrong?


  • Contest Winner

    @pepson well for starters, don't start out with whitelisting unless you know exactly what you are doing. First you have to verify that your network is stable enough to handle the security protocol. The simplest option is to only enable encryption, or use the simple password flag options. Once you have established that your gw and nodes are capable of communicating securely you can move on to personalization and whitelisting.



  • @anticimex
    What do you mean by whitelist?

    Before adding all the security, my nodes and gateway worked perfectly.


  • Contest Winner

    @pepson you define whitelisting so I presume you use it. But I don't see your gw flags specifying it so of course it does not work. So get rid of that flag from your config unless you know what it means so that you set it up properly.



  • @anticimex

    What flag i must remove ?
    This :
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

    But on GW i setup this:
    sudo mysgw --set-soft-serial-key=2C61172EEEDDCCBBAA && sudo mysgw --set-aes-key=9D2AD43CF909875C4C77111111111111 && sudo mysgw --set-soft-hmac-key=A2A64C48EA6765C5DAEFA12A1E41E2F038515A9CAED9FED73D11111111111111


  • Contest Winner

    @pepson please just read the documentation. And more importantly, follow it.
    Isn't it obvious that it is the flag that mentions whitelisting that is supposed to be removed unless you intend to use whitelisting, in which case you ought to know how to set it up properly at both ends?



  • @anticimex

    Sorry, I don't understand


  • Contest Winner

    @pepson https://www.mysensors.org/apidocs/group__MySigninggrpPub.html

    Note that it is the documentation for the latest release (simple password flags work differently compared to previous releases, see release notes for the latest release).



  • HI
    I did as described...

    1. install gateway on raspberry with this configuration:
      ./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-leds-err-pin=12 --my-leds-rx-pin=16 --my-leds-tx-pin=18 --my-signing=software --my-signing-request-signatures --my-signing-weak_security --my-signing-debug

    and then generate serial, aes and hmac

    pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-serial-key
    SOFT_SERIAL | 8FC828503E6EB14C5D

    The next line is intended to be used in SecurityPersonalizer.ino:
    #define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

    To use this key, run mysgw with:
    --set-soft-serial-key=8FC828503E6EB14C5D
    pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-hmac-key
    SOFT_HMAC_KEY | 0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

    The next line is intended to be used in SecurityPersonalizer.ino:
    #define MY_SOFT_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

    To use this key, run mysgw with:
    --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
    pi@raspberrypi:~/MySensors $ sudo mysgw --gen-aes-key
    AES_KEY | 8FDB1EE8D0351CFF874D337731BF37AE

    The next line is intended to be used in SecurityPersonalizer.ino:
    #define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

    To use this key, run mysgw with:
    --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE
    pi@raspberrypi:~/MySensors $

    and setup it on my gateway

    sudo mysgw --set-soft-serial-key=8FC828503E6EB14C5D && sudo mysgw --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE && sudo mysgw --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

    all is ok to this moment

    Then

    1. clear eeprom in node Arduino pro mini with this sketch:
      https://github.com/sineverba/domoraspi/tree/master/utils/sketches
    2. write sketch security with setup my serial, aes and hmac

    https://github.com/sineverba/domoraspi/tree/master/utils/sketches

    at the top setup...
    /************************************ User defined key data ***************************************/

    /** @brief The user-defined HMAC key to use unless @ref GENERATE_HMAC_KEY is set */
    //#define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    #define MY_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

    /** @brief The user-defined AES key to store in EEPROM unless @ref GENERATE_AES_KEY is set */
    //#define MY_AES_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    #define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

    /** @brief The user-defined soft serial to use for soft signing unless @ref GENERATE_SOFT_SERIAL is set */
    #define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

    /***************************** Flags for guided personalization flow ******************************/

    1. then write my sketch relay with added at the top this info:

    #define MY_SIGNING_SOFT
    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    #define MY_SIGNING_REQUEST_SIGNATURES
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D}}} // got from gateway setup

    and now on my Home assistant in file
    /home/homeassistant/.homeassistant/mysensors.json

    found my node but without full information like name....
    {
        "0": {
            "battery_level": 0,
            "sketch_name": null,
            "sketch_version": null,
            "children": {},
            "type": 18,
            "protocol_version": "2.2.0",
            "sensor_id": 0
        },
        "33": {
            "battery_level": 0,
            "sketch_name": null,
            "sketch_version": "1.0",
            "children": {
                "1": {
                    "type": 3,
                    "id": 1,
                    "values": {
                        "2": "1"
                    },
                    "description": ""
                }
            },
            "type": 17,
            "protocol_version": "2.2.0",
            "sensor_id": 33
        }
    }

    and Home Assistant does not show this node in devices. It is not found.
    What did I do wrong?


  • Contest Winner

    @pepson said in 💬 Security & Signing:

    MY_SIGNING_NODE_WHITELISTING

    How many times do I need to tell you to get rid of the whitelisting flag?



  • @anticimex
    Ok, I read it... but...
    when I use MY_SIGNING_NODE_WHITELISTING I must add, in the sketch on the node, the serial number of my gateway and also the serial number for the node. But where can I get the serial number for my Arduino Pro Mini? I don't know... because I don't use ATSHA204, I use only soft signing....


  • Hardware Contributor

    @pepson This is the serial OF GATEWAY. Not your Arduino. You need to put serial of GATEWAY.

    Please, first of all, DON'T USE WHITELISTING. And pay attention: if you enabled it, remove it and:

    1 - clear eeprom
    2 - flash eeprom with keys
    3 - reload sketch (without whitelisting)


  • Hardware Contributor

    @pepson Don't need all copy and paste, enough link :).

    Btw, before move to Home Assistant, where is the output of debug of MySensors?

    sudo mysgw -d

    Of course, you need to stop the service before.

    Resetting the node, what you get in debug?

    When ALL ok, move to HomeAssistant.

    And remember, after check that debug is ok...

    sudo make install && sudo systemctl enable mysgw.service && sudo systemctl start mysgw.service



  • The first time, I used only the gateway serial number in the whitelisting flag and it also did not work.


  • Hardware Contributor

    @pepson Last time. Please.
    REMOVE
    WHITELISTING
    FROM
    YOUR
    SKETCH

    Clear EEPROM and paste here output of debug. No other.



  • @sineverba
    OK wait for info



  • @pepson

    Ok, I removed whitelisting and the switch is shown in Home Assistant and works.

    pi@raspberrypi:~/MySensors $ sudo ./bin/mysgw -d
    mysgw: Starting gateway...
    mysgw: Protocol version - 2.2.0
    mysgw: MCO:BGN:INIT GW,CP=RPNGLS--,VER=2.2.0
    mysgw: SGN:PER:OK
    mysgw: SGN:INI:BND OK
    mysgw: TSF:LRT:OK
    mysgw: TSM:INIT
    mysgw: TSF:WUR:MS=0
    mysgw: TSM:INIT:TSP OK
    mysgw: TSM:INIT:GW MODE
    mysgw: TSM:READY:ID=0,PAR=0,DIS=0
    mysgw: MCO:REG:NOT NEEDED
    mysgw: Listening for connections on 0.0.0.0:5003
    mysgw: MCO:BGN:STP
    mysgw: MCO:BGN:INIT OK,TSP=1
    mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
    mysgw: !SGN:VER:NSG
    mysgw: !TSF:MSG:SIGN VERIFY FAIL
    mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
    mysgw: SGN:BND:NONCE=44E4127024F4EB1003DCBF3701D8469E4664CC454E2A20A257AAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=E1EE2D4046FEF0AEC323AA737A8367A2F290CCEFB7A4663448AD0B155FFD5A74
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
    mysgw: SGN:BND:NONCE=4AD7D9430FA96BBD0B18D4F57480F009BE31C6F3821F182766AAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=3AADB41A42B91C0B2137BE2C2C76F57E3ADB7082F3669DECCA85B993C955D36E
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
    mysgw: SGN:BND:NONCE=B272E537F5C6DAF21A0C5042078EFCFD3A02B5C61F698792AAAAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=5AF82BD16724069A436E0735229D32F532108A45407EF0DE7CABDADA1F7E39A0
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
    mysgw: !SGN:VER:NSG
    mysgw: !TSF:MSG:SIGN VERIFY FAIL
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
    mysgw: SGN:BND:NONCE=61F78D66E675349B8A63B1370E81D2D1AB44BC1D0BB1F988D6AAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=04EEE2B60E0C71CC092E13C68C07F3088D66F264A826C23426053C17C2353DED
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
    mysgw: SGN:BND:NONCE=627FAEEEFFFD6E55F371C07A54F785FDA3EE52EBD4092E0CE9AAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=65503227CDB04C1A2DCB03D0E5BAFD35A4EBA956E8EBA917B2DF40FB09520092
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
    mysgw: !SGN:BND:VER ONGOING
    mysgw: !SGN:VER:FAIL
    mysgw: !TSF:MSG:SIGN VERIFY FAIL
    mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
    mysgw: SGN:BND:NONCE=32CE07784E14ED2B6D455C2C5C4D83E025185970838C0B743AAAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=F04885315D93DB7FC95F3B190D68009055495ECEE698E0ADF6F50292157A8927
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
    mysgw: SGN:BND:NONCE=3DAAB19C10BB3CB8A08CDAACED4BFB385F1EB22AA9F926F940AAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=392AB4EAFDE59AC0CC9BE6EE667FC33A69A33E86AD5CB3EC49C6C114722941F5
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
    mysgw: SGN:SKP:MSG CMD=3,TYPE=16
    mysgw: SGN:SKP:MSG CMD=3,TYPE=17
    mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
    mysgw: SGN:NCE:XMT,TO=0
    mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
    mysgw: SGN:BND:NONCE=CF101801DA5324E2F66C3B9350E8FC2BCCBD337E3F588EBE2FAAAAAAAAAAAAAA
    mysgw: SGN:BND:HMAC=53795E79C8FE9D599D1A88363F7E2BA607ADBB265E4E99356886B65C3D0A06D0
    mysgw: SGN:VER:OK
    mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
    mysgw: !SGN:VER:NSG
    mysgw: !TSF:MSG:SIGN VERIFY FAIL


  • Contest Winner

    @pepson your gw is configured to require signing from all nodes.
    Your node 33 is set up to use signing. Your node 3 is not. Hence messages from node 3 will be rejected by the GW.
    Either set up all nodes to use signing or set up weak security on the GW to only require signing from nodes that require it in turn.
    This is documented behaviour. Please read the documentation. That is what it is for.
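
The diagnosis in the reply above (node 33 signs, node 3 does not) can be read mechanically from `mysgw -d` output by pairing each `TSF:MSG:READ` line with the `SGN:VER` verdict that follows it. This is an added example, not part of the thread or of MySensors: the sample log is constructed in the shape of the posted output, the names `tally` and `diagnose` and the category labels are made up here, and the first number after `READ,` is taken to be the sending node, as in the reply.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `mysgw -d` output posted above
# (nonce and HMAC dump lines are left out; the tally does not need them).
SAMPLE_LOG = """\
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: !SGN:BND:VER ONGOING
mysgw: !SGN:VER:FAIL
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
"""

# TSF:MSG:READ,<sender>-<last hop>-<destination>,...,sg=<signed flag>:
READ_RE = re.compile(r"TSF:MSG:READ,(\d+)-(\d+)-(\d+),.*?\bsg=([01]):")
# Verification verdict for the message that was read just before it.
VERDICT_RE = re.compile(r"SGN:VER:(OK|NSG|FAIL)\b")


def tally(log_text):
    """Attribute each SGN:VER verdict to the sender of the preceding READ."""
    stats = defaultdict(
        lambda: {"read": 0, "signed": 0, "OK": 0, "NSG": 0, "FAIL": 0}
    )
    sender = None
    for line in log_text.splitlines():
        read = READ_RE.search(line)
        if read:
            sender = int(read.group(1))
            stats[sender]["read"] += 1
            stats[sender]["signed"] += int(read.group(4))
            continue
        verdict = VERDICT_RE.search(line)
        if verdict and sender is not None:
            stats[sender][verdict.group(1)] += 1
            sender = None  # at most one verdict per received message
    return dict(stats)


def diagnose(stats):
    """Map per-node counters to a coarse label (labels are this example's own)."""
    result = {}
    for node, s in stats.items():
        if s["NSG"] and not s["OK"]:
            result[node] = "unsigned"      # sends sg=0 to a gw that wants signatures
        elif s["FAIL"] and s["OK"]:
            result[node] = "intermittent"  # signing works, some verifications fail
        elif s["FAIL"]:
            result[node] = "rejected"      # signs, but nothing ever verifies
        elif s["OK"]:
            result[node] = "ok"
        else:
            result[node] = "no-verdict"
    return result


if __name__ == "__main__":
    counters = tally(SAMPLE_LOG)
    for node, label in sorted(diagnose(counters).items()):
        print(f"node {node}: {label} {counters[node]}")
```

A node labelled "unsigned" is the node 3 case from the thread: either enable signing on it or build the gateway with weak security, as the reply says.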



  • But I still don't know how to use whitelisting...?


  • Contest Winner

    @pepson I suggest you avoid it. It requires good tracking of all serials in your network and is part of the more advanced security mechanisms. And I suspect you will get issues when you add new nodes to your network as you cannot get it to work with just two nodes (you still have not enabled it on your gw). So just avoid whitelisting altogether.



  • @anticimex
    OK, but how can I get the serial from my node on the Arduino Pro Mini?

    And when I want to use the AtSHA204A chip, what must I change on my GW and on the node?
    Can I build a GW on RPi with this AtSHA204A chip?


  • Contest Winner

    @pepson Please. Read. The. Documentation.
    And no, atsha204a is not supported on rPi. Nor does it need to be.



  • @anticimex
    But I still don't know how to read the serial number from the node on the Arduino Mini Pro when I want to use whitelisting...


 
